[gatein-issues] [JBoss JIRA] Commented: (GTNPORTAL-1046) GateIn and secure CAS integration: problem with renew parameter

Marek Posolda (JIRA) jira-events at lists.jboss.org
Thu Apr 8 05:48:38 EDT 2010


    [ https://jira.jboss.org/jira/browse/GTNPORTAL-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12524512#action_12524512 ] 

Marek Posolda commented on GTNPORTAL-1046:
------------------------------------------

The easiest way to simulate the issue is probably to configure the CAS cookie to be non-secure. Then the CASTGC cookie can be active with CAS on http://localhost:8888 and no HTTPS is needed.

This can be done in TOMCAT_HOME/webapps/cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml by editing it to p:cookieSecure="false" (CAS 3.3.5).

> GateIn and secure CAS integration: problem with renew parameter
> ---------------------------------------------------------------
>
>                 Key: GTNPORTAL-1046
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1046
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 3.0.0-GA
>         Environment: GateIn+JBoss AS (localhost:8080) integrated with secure CAS,
> Tomcat+CAS with secure connector enabled (https://localhost:9443),
> Sun JDK 1.6
>            Reporter: Marek Posolda
>
> I tested GateIn integration with secure CAS (because CASTGC sso cookie is by default enabled only in secure environment). So GateIn is on localhost:8080 and Tomcat with CAS is on https://localhost:9443. I tried this scenario:
> 1) Go to http://localhost:8080/portal/private/classic and be redirected to the CAS page
> 2) Login in CAS page as root
> 3) I am redirected to GateIn and I am successfully authenticated as user root
> 4) Wait 2 minutes for session expiration (I am testing with HTTP session expiration timeout 1 minute)
> 5) Go again to http://localhost:8080/portal/private/classic
> 6) I am redirected to a blank screen now. And an exception in the server log with this message: "Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request."
> I am attaching full exception stacktrace (cas-renew-exception.txt).
> I found that the problem can occur if the "renew=true" parameter is not used in the login URL but is used in the validation URL. It should be used in both URLs (login and validation) or in neither of them. Some links:
> http://tp.its.yale.edu/pipermail/cas/2005-October/001707.html
> http://n4.nabble.com/Problem-in-Cas-renew-parameter-set-to-true-td261396.html
> So I tried two things:
> 1) Use renew in both the login and validation URL. So I changed login.jsp to "https://localhost:9443/cas/login?service=http://localhost:8080/portal/private/classic&renew=true". This helps to avoid the issue, but I am redirected to the CAS screen after session expiration in GateIn.
> 2) Avoid renew in both the login and validation URL. Now it's hardcoded in org.gatein.sso.agent.cas.CASAgent.validateTicket, so I uncomment the line setRenew(true) to avoid renew in the validation URL. This also helps, and now I am not redirected to the CAS screen after session expiration, because CAS grants me a new valid ticket for the new GateIn session.
> So conclusion: I think that renew should be used in both places or nowhere. Is it possible to make it configurable and avoid hardcoded setRenew(true) in CASAgent class?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
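The renew mismatch described in the issue above, as an added example that is not part of the original report nor of GateIn's or CAS's code. It builds the CAS login and /serviceValidate URLs from a single "renew" setting so the two cannot disagree (the configurable behaviour the reporter asks for), checks an existing pair of URLs for the mismatch, models how a CAS 3.x server answers a renew=true validation of a ticket that was issued from an existing SSO session rather than a fresh login, and parses the CAS 2.0 XML response so the client can distinguish success from the "Ticket failed validation specification" failure. The CAS base URL and service URL are taken from the report; the sample XML responses, the INVALID_TICKET_SPEC failure code and the simplified validation model are assumptions written for this example.

```python
"""Added example (not GateIn/CAS project code): keep CAS 'renew' consistent
between the login redirect and service-ticket validation, and parse the
CAS 2.0 serviceValidate response."""
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Values from the issue report.
CAS_BASE = "https://localhost:9443/cas"
SERVICE = "http://localhost:8080/portal/private/classic"
CAS_NS = "http://www.yale.edu/tp/cas"


def login_url(cas_base, service, renew):
    """CAS /login redirect; renew=true forces re-authentication even if a
    CASTGC cookie (existing TGT) is present."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{cas_base}/login?{urlencode(params)}"


def validate_url(cas_base, service, ticket, renew):
    """CAS /serviceValidate call made by the agent; the same renew flag is
    passed so login and validation always agree."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    return f"{cas_base}/serviceValidate?{urlencode(params)}"


def renew_consistent(login, validate):
    """True iff 'renew=true' appears in both URLs or in neither.
    A False result is exactly the configuration that triggers the bug."""
    def has_renew(url):
        return parse_qs(urlparse(url).query).get("renew") == ["true"]
    return has_renew(login) == has_renew(validate)


def server_validation_outcome(renew_on_validate, ticket_from_new_login):
    """Assumed model of CAS 3.x: a renew=true validation is only satisfied by
    a service ticket minted right after a fresh login. A ticket granted from an
    existing TGT (the SSO cookie, as after GateIn's session expired) fails."""
    if renew_on_validate and not ticket_from_new_login:
        return "INVALID_TICKET_SPEC"   # assumed failure code
    return "OK"


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response into a small dict."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        return {"ok": True, "user": success.findtext(f"{{{CAS_NS}}}user")}
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is None:
        raise ValueError("malformed CAS response: no success or failure element")
    return {"ok": False, "code": failure.get("code"),
            "message": " ".join((failure.text or "").split())}


# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
    "<cas:authenticationSuccess><cas:user>root</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
SAMPLE_FAILURE = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
    '<cas:authenticationFailure code="INVALID_TICKET_SPEC">\n'
    "  Ticket failed validation specification. Possible errors could include "
    "attempting to validate a Proxy Ticket via a Service Ticket validator, "
    "or not complying with the renew true request.\n"
    "</cas:authenticationFailure></cas:serviceResponse>"
)


if __name__ == "__main__":
    for renew in (False, True):
        login = login_url(CAS_BASE, SERVICE, renew)
        validate = validate_url(CAS_BASE, SERVICE, "ST-1-example", renew)
        print(renew, renew_consistent(login, validate))
    # The reporter's broken setup: no renew on login, renew on validation.
    print(renew_consistent(login_url(CAS_BASE, SERVICE, False),
                           validate_url(CAS_BASE, SERVICE, "ST-1-example", True)))
    print(parse_service_response(SAMPLE_FAILURE))
```

The trade-off the reporter observed falls out of server_validation_outcome: with renew on both sides the user is re-prompted by CAS after every GateIn session expiry; with renew on neither, CAS silently issues a fresh service ticket off the CASTGC cookie, so the SSO session outlives the portal session. Which one is right is a policy choice, which is why a single configurable flag feeding both URLs is preferable to a hardcoded setRenew(true) in the agent.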